Google is spearheading a volunteer workforce it hopes will become the centralized authority for responding to security issues in open source software.
The loose coupling of data drawn from different systems is one of the enduring appeals of mashups. However, what if some of that data needs to be handled securely, or it is necessary to log in to some or all of the data feeds? What if the mashup as a whole represents some form of sensitive system? Now security is an issue.
RSA The US government is to cut the thousands of points from which outsiders can access federal computer networks down to about 50, Homeland Security chief Michael Chertoff revealed today (Tuesday).
In a keynote at the RSA Conference in San Francisco, Chertoff outlined the government's plans to protect itself from cyber attack. He even compared this to a digital "Manhattan Project" in terms of impact and importance. So no lack of ambition there.
RSA Six years after scrambling to lock down Windows and having challenged security vendors on home turf with Windows Vista, Microsoft is calling for a "dialogue" over online security and privacy.
The phrase "Rich Internet Applications" has become a popular term for applications that run inside your browser or on your desktop and that interact with web applications or web services. RIA platforms include JavaScript (part of the AJAX umbrella), Adobe System's AIR, Microsoft's Silverlight, Java applets, and Java JFX from Sun Microsystems.
Sure, they look pretty with all that video, those rounded buttons and pop-up windows - but should we trust them? These applications are, after all, downloaded from websites that can be good, bad or compromised. So what's there to protect users and server applications from a renegade RIA?
RSA The idea of throwing random test data at a program to see if it cracks has been around in one form or another since the beginning of software development. A formalized approach called fuzzing, based on Professor Barton Miller's work at the University of Wisconsin in the late 1980s, is undergoing a revival as a means of testing the security of applications.
Keyless entry systems are ubiquitous, from locking your car to accessing the restricted corridors of government and corporate power. It's therefore troubling to learn Wikipedia-reading egg heads have cracked the encryption of a device widely used in a variety of keyless entry systems. There goes the girlfriend's VW you thought you'd locked.
Fundamentally, there's nothing terribly new about the problems posed by Asynchronous JavaScript and XML (AJAX) when it comes to security; we just need to apply some good old security principles to this new technology.
The problems occur because, unfortunately, there are an awful lot of devils hidden inside the details.
Call it coincidence or call it necessity, but Microsoft has jumped on board a Yahoo!-backed initiative to give internet users a single digital identity.
Yahoo! has pledged to support OpenID from the end of the month, giving a massive boost for the online identity framework that aims to cut password headaches.
Think you've protected your web applications from cross-site scripting (XSS) vulnerabilities? The odds are against you. Roughly 90 per cent of web applications have this problem, and it's getting worse as web applications and web services share more and more data.
Many frameworks and libraries are encoding, decoding, and re-encoding with all kinds of schemes and sending data through new protocols. Ajax and other "rich" applications are complicating this situation.
Microsoft plans to issue seven security patches next Tuesday, three of which are rated "critical" because they could allow an attacker to remotely execute malicious code on an end user's machine.
Our recent article about the fine line between security and usability started some very interesting discussions and active criticism, most of which was targeted at us - suggesting that security and usability do not form a one-or-the-other type relationship (or are at least far more independent than dependent on each other).
We already know that, and now you know that.
Once again, there's a new version of QuickTime media player, and if you know what's good for you, you'll install it soon, whether you use Windows or OS X.
Comment Aspect-oriented programming (AOP) is a paradigm that is quickly gaining traction in the development world. At least partially spurred by the popularity of the Java Spring framework [1], people are beginning to understand the substantial benefits that AOP brings to development.
Trend Micro has acquired data leak prevention firm Provilla, in an agreement that expands its business beyond its core antivirus and content security markets. Financial terms are undisclosed.
Leading IT vendors have clubbed together to form a new organisation geared to increasing trust in IT products and services through software assurance.
GrIDsure has teamed up with secure communications firm Masabi to create a mobile version of the pattern technology that's touted as a replacement to PIN-based identity systems.
Oracle is to release updates on Tuesday that patch 51 security vulnerabilities across hundreds of products.
The update will fix 27 bugs in the Oracle database, the company's flagship product. Five of them can be exploited over a network without the need for a username and password. None of the fixes are applicable to client-only installations of the program.
Microsoft pushed out a series of five patches for Vista early this week.
The updates - two of which were rated important, two are recommended and one optional - took security observers by surprise because they were released outside Microsoft's normal Patch Tuesday update cycle.
A less-annoying version of Windows Vista is still several months away.
This morning, with a post to the official Windows Vista blog, Microsoft said that the first Vista Service Pack will likely arrive at the beginning of the year, after the usual far-flung beta test. As SP1 betas continue to turn up on file-sharing sites across the web, the company will roll out an official beta "in the next few weeks," hoping to iron out more than a few kinks in the little-used operating system.
Over the weekend, thousands of Microsoft customers who tried to download patches or updates for Windows were falsely accused of running a pirated version of Windows.
Microsoft blamed the Windows Genuine Advantage (WGA) glitch on server problems, since fixed. WGA is an anti-piracy program which determines the validity of Windows software running on customer PCs - and phones back to Redmond with the results.
One of the issues plaguing identity management and online authentication systems is how to accurately validate the identity of the system or user connecting to a service.
Symantec and Intel have teamed up to develop security technologies that operate underneath an operating system.
Project Hood uses virtualisation technology developed by Intel to run security "appliances" directly on chips. The technology would allow security functions to operate below the level of Windows or other operating systems that a system is running.
Microsoft's monthly patch fest for August included fixes for 14 security holes, including critical flaws in Internet Explorer, Excel and in Windows components such as XML Core Services, Vector Markup Language and Object Linking and Embedding automation.
Microsoft will offer the next major version of its XNA Game Studio pro- and amateur-oriented Xbox 360 game creation tool for download later this year, the software giant has said.
Security provider Trend Micro yesterday announced a brace of Microsoft-based strategies, rolling out improvements for its combo offering on Vista and proclaiming that it will handle antivirus for Hotmail/Live webmail services for a further year.
Red Hat last week continued its appliance assault via a partnership with Symantec.
The companies have crafted a pair of software bundles meant to give Linux customers easier access to high-end security features. Customers can pick from pre-tested packages that include Red Hat Enterprise Linux or the Red Hat Application Stack with Symantec Critical System Protection. As you might expect, the packages are aimed at small- to mid-sized businesses that could use some help securing their data centers with relative ease.
Microsoft is prepping a security software suite that will take it deep into Symantec and McAfee heartland. They won't be quaking in their boots just yet: the suite, called Stirling, hits the streets in 2009, at the earliest.
Stirling integrates Microsoft's anti-virus, anti-spam and content filtering software, Internet Security and Acceleration (ISA) Server, Forefront Client Security and network access control tools while working with the Microsoft Network Access Protection (NAP) policy, Microsoft said today.
Review Microsoft has gone out on a limb to promote Vista not merely as "the most secure version of Windows ever" (every recent version is marketed with that tired slogan), but for the first time as an adequately secure version of Windows. "We've got the message and we've done our homework", the company says. So let's see if the reality lives up to the marketing hype.